Ask a Question related to ASP.NET Security, Design and Development.

  1. #1

    Kerberos

    Hi

    I have made a one-way trust between my forest and my customer's forest. I
    have developed a web application in my forest. My customer tries to connect
    to my web application from his forest, does something in my forest (I have set
    the permission for him) and comes back to his forest to do something there.
    The problem is in the last step, which fails because it is more than one hop
    and Kerberos does not work across forests. Does anybody know a solution? How
    can I access network resources in 2 different forests through a single web
    application?

    Regards
    Reza
    Reza Guest

  2. #2

    Re: Kerberos

    AFAIK, Kerberos should work across forests, assuming you have the necessary
    forest trusts in place and appropriate delegation is configured (if
    required). How else does a user get access to resources in a remote forest?

    Cheers
    Ken

    --
    Blog: www.adopenstatic.com/cs/blogs/ken/
    Web: www.adopenstatic.com


    "Reza" <Reza@discussions.microsoft.com> wrote in message
    news:66502016-8952-4E9A-B84D-870B70FB8615@microsoft.com...
    : Hi
    :
    : I have made a one-way trust between my forest and my customer's forest. I
    : have developed a web application in my forest. My customer tries to connect
    : to my web application from his forest, does something in my forest (I have
    : set the permission for him) and comes back to his forest to do something
    : there. The problem is in the last step, which fails because it is more than
    : one hop and Kerberos does not work across forests. Does anybody know a
    : solution? How can I access network resources in 2 different forests through
    : a single web application?
    :
    : Regards
    : Reza


    Ken Schaefer Guest

  3. #3

    Re: Kerberos

    Thank you Ken:

    The exact scenario is like this: An administrator from the trusted forest
    connects to my web application in the trusting forest. Surely he can do it
    because of the trust. In my web page I tried to impersonate as him and create
    a global group in his forest. Since he is an administrator he must be able to
    do it but here I get an error. I did the same thing through a desktop
    application which I Run As him in my forest (trusting forest) and it works
    fine. Why can't I do it through web? His account is NOT sensitive and can
    not be delegated and my IIS computer is trusted for delegation so everything
    is fine for delegation. Another test is that when I change security in IIS to
    Basic Authentication it works but in Integrated Windows it is not working.
    That made me think it is probably because of Kerberos. Documentation says
    delegation for Kerberos needs all computers to be in the same forest. I ran
    the same test in a single forest again with the same result. The error is
    nonspecific: (Operation error) which is raised by Directory Service class of
    .NET. There is no Access Denied or any other meaningful thing. I am really
    confused!!

    Thanks
    Reza

    "Ken Schaefer" wrote:
    > AFAIK, Kerberos should work across forests, assuming you have the necessary
    > forest trusts in place and appropriate delegation is configured (if
    > required). How else does a user get access to resources in a remote forest?
    >
    > Cheers
    > Ken
    >
    > --
    > Blog: www.adopenstatic.com/cs/blogs/ken/
    > Web: www.adopenstatic.com
    >
    >
    > "Reza" <Reza@discussions.microsoft.com> wrote in message
    > news:66502016-8952-4E9A-B84D-870B70FB8615@microsoft.com...
    > : Hi
    > :
    > : I have made a one-way trust between my forest and my customer's forest. I
    > : have developed a web application in my forest. My customer tries to connect
    > : to my web application from his forest, does something in my forest (I have
    > : set the permission for him) and comes back to his forest to do something
    > : there. The problem is in the last step, which fails because it is more than
    > : one hop and Kerberos does not work across forests. Does anybody know a
    > : solution? How can I access network resources in 2 different forests through
    > : a single web application?
    > :
    > : Regards
    > : Reza
    Reza Guest
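
An added example, not part of the thread and not code from either poster: a small model of the delegation preconditions discussed above (IIS authentication scheme, the user's "sensitive and cannot be delegated" flag, the server's "trusted for delegation" flag), using the documented `userAccountControl` bit values. The function name, the scheme labels and the sample accounts are assumptions made for illustration; constrained delegation (`msDS-AllowedToDelegateTo`) is not modelled.

```python
# Documented Active Directory userAccountControl bits.
WORKSTATION_TRUST_ACCOUNT = 0x1000   # ordinary computer account
NORMAL_ACCOUNT = 0x200               # ordinary user account
TRUSTED_FOR_DELEGATION = 0x80000     # "Trust this computer for delegation"
NOT_DELEGATED = 0x100000             # "Account is sensitive and cannot be delegated"


def second_hop_blockers(auth, user_uac, service_uac):
    """Return the reasons a web server cannot act as the caller on a
    second server. `auth` is the scheme actually used on the first hop:
    'basic', 'kerberos' or 'ntlm' (hypothetical labels for this example).
    `service_uac` belongs to the account the web application runs as."""
    if auth == "basic":
        # The server receives the password and performs a full logon itself,
        # so it holds real credentials and needs no delegation at all.
        return []
    if auth not in ("kerberos", "ntlm"):
        raise ValueError("unknown auth scheme: %r" % auth)

    blockers = []
    if auth == "ntlm":
        # Integrated Windows authentication may fall back to NTLM, which
        # proves identity to the first server only and cannot be forwarded.
        blockers.append("NTLM was negotiated; NTLM logons cannot be delegated")
    if user_uac & NOT_DELEGATED:
        blockers.append("user is marked sensitive and cannot be delegated")
    if not service_uac & TRUSTED_FOR_DELEGATION:
        blockers.append("service account is not trusted for delegation")
    return blockers


if __name__ == "__main__":
    # Constructed sample accounts, not taken from a real directory.
    admin = NORMAL_ACCOUNT
    iis_box = WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
    for scheme in ("basic", "kerberos", "ntlm"):
        print(scheme, second_hop_blockers(scheme, admin, iis_box))
```

With both flags set as described in the post, the only remaining blocker in this model is an NTLM fallback, so checking which protocol Integrated Windows authentication actually negotiated is the next step.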
